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Memorandum of Understanding between the Information 
Commissioner and Ofcom 


Introduction 


L; This Memorandum of Understanding (MoU) establishes a framework 
for cooperation and information sharing between the Information 
Commissioner ("the Commissioner") and the Office of 
Communications (“Ofcom”), collectively referred to as "the 
parties” throughout this document. In particular, it sets out the 
broad principles of collaboration and the legal framework governing 
the sharing of relevant information and intelligence between the 
parties. The shared aims of this MoU are to enable closer working 
between the parties, including the exchange of appropriate 
information, so as to assist them in discharging their regulatory 
functions. 


2. This MoU is a statement of intent that does not give rise to legally 
binding obligations on the part of either the Commissioner or 
Ofcom. The parties have determined that they do not exchange 
sufficient quantities of personal data to warrant entering into a 
separate data sharing agreement, but this will be kept under 
review. 


The role and function of the Information Commissioner 


3. The Commissioner is a corporation sole appointed by Her Majesty 
the Queen under the Data Protection Act 2018 to act as the UK’s 
independent regulator to uphold information rights in the public 
interest, promote openness by public bodies and data privacy for 
individuals. 


4. The Commissioner is empowered to take a range of regulatory 
action for breaches of the following legislation: 


e Data Protection Act 2018 (DPA); 
e General Data Protection Regulation (GDPR); 


e Privacy and Electronic Communications (EC Directive) 
Regulations 2003 (PECR); 
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e Freedom of Information Act 2000 (FOIA); 
e Environmental Information Regulations 2004 (EIR); 


e Environmental Protection Public Sector Information 
Regulations 2009 (INSPIRE Regulations); 


e Investigatory Powers Act 2016; 
e Re-use of Public Sector Information Regulations 2015; 
e Enterprise Act 2002; 


e Security of Network and Information Systems Directive (NIS 
Directive); and 


e Electronic Identification, Authentication and Trust Services 
Regulation (eIDAS). 


5. Article 57 of the GDPR and Section 115(2)(a) of the DPA 2018 place 
a broad range of statutory duties on the Commissioner, including 
monitoring and enforcement of the GDPR, promotion of good 
practice and adherence to the data protection obligations by those 
who process personal data. These duties sit alongside those relating 
to the other enforcement regimes outlined in paragraph 4 above. 


6. The Commissioner’s regulatory and enforcement powers include: 


e conducting assessments of compliance with the DPA, GDPR, 
PECR, eIDAS, the NIS Directive, FOIA and EIR; 


e issuing information notices requiring individuals, controllers or 
processors to provide information in relation to an 
investigation; 


e issuing enforcement notices, warnings, reprimands, practice 
recommendations and other orders requiring specific actions 
by an individual or organisation to resolve breaches (including 
potential breaches) of data protection legislation and other 
information rights obligations; 


e administering fines by way of penalty notices in the 
circumstances set out in section 155 of the DPA; 
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e administering fixed penalties for failing to meet specific 
obligations (such as failing to pay the relevant fee to the 
Commissioner); 


e issuing decision notices detailing the outcome of an 
investigation under FOIA or EIR; 


e certifying contempt of court should an authority fail to comply 
with an information notice, decision notice or enforcement 
notice under FOIA or EIR; and 


e prosecuting criminal offences before the Courts. 


Regulation 31 of PECR, as amended by the Privacy and Electronic 
Communications (EC Directive) (Amendment) Regulations 2011, 
also provides the Commissioner with the power to serve 
enforcement notices and issue monetary penalty notices as above 
to organisations who breach PECR. This includes, but is not limited 
to, breaches in the form of unsolicited marketing which falls within 
the ambit of PECR, including automated telephone calls made 
without consent, live telephone calls which have not been screened 
against the Telephone Preference Service, and unsolicited electronic 
messages (Regulations 19, 21 and 22 of PECR respectively). 


Functions and powers of Ofcom 


8. 


10. 


Ofcom is the independent national regulatory authority for the UK’s 
communications industries, with responsibilities across broadcasting 
(television and radio), telecommunications, spectrum and postal 
services. Ofcom is also a national competition authority with 
concurrent powers with the CMA to enforce competition law in 
relation to communications matters. 


Ofcom’s principal duties, set out in the Communications Act 2003, 
are to further the interests of citizens in relation to communications 
matters and to further the interests of consumers in relevant 
markets, where appropriate by promoting competition. 


Ofcom has functions and powers that enable a range of regulatory 
action, including: 


e promoting media literacy under section 11 Communications 
Act 2003; 
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e setting and enforcing conditions under sections 45-52 of the 
Communications Act; 


e conducting market studies in relation to communications 
matters under the Enterprise Act 2002 and Communications 
Act 2003; 


e applying ex post competition law in relation to 
communications matters under the Enterprise Act 2002 and 
the Communications Act 2003; 


e enforcing certain consumer regulation under Part 8 of the 
Enterprise Act 2002; 


e enforcing requirements relating to net neutrality under Articles 
3, 4 and 5 of the Open Internet Access Regulation 2015 and 
the Open Internet Access (EU Regulation) Regulations 2016; 
and 


e taking action against persistent misuse of electronic 
communications networks and services under ss.128-130 
Communications Act 2003. Ofcom can take action under 
these provisions where it has reasonable grounds for believing 
that a person has persistently misused an electronic 
communications network or service in any way that causes, or 
is likely to cause, unnecessary annoyance, inconvenience or 
anxiety to another person. 


Purpose of information sharing 


11. 


12. 


The purpose of the MoU is to enable the parties to share relevant 
information which enhances their ability to exercise their respective 
functions. 


This MoU should not be interpreted as imposing a requirement on 
either party to disclose information in circumstances where doing so 
would breach their statutory responsibilities. In particular, each 
party must ensure that any disclosure of personal data pursuant to 
these arrangements fully complies with both the GDPR and the DPA 
2018. The MoU sets out the potential legal framework for 
information sharing, but it is for each party to determine for 
themselves that any proposed disclosure is compliant with the law. 
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Principles of cooperation and sharing 


13. 


14. 


15. 


16. 


Subject to any legal restrictions on the disclosure of information 
(whether imposed by statute or otherwise) and at its discretion, 
Ofcom will alert the Commissioner to any potential breaches of the 
legislation regulated by the Commissioner discovered whilst 
undertaking regulatory duties, and provide relevant and necessary 
supporting information. 


Subject to any legal restrictions on the disclosure of information 
(whether imposed by statute or otherwise) and at her discretion, 
the Commissioner will alert Ofcom to any potential breaches of the 
legislation regulated or applied by Ofcom discovered whilst 
undertaking regulatory duties, and provide relevant and necessary 
supporting information. 


Subject to any legal restrictions on the disclosure of information 
(whether imposed by statute or otherwise) and at their discretion, 
the parties will: 


e Communicate regularly to discuss matters of mutual interest 
and seek to work together to find appropriate ways to 
effectively protect consumers. This may involve engagement 
on the development of potential policy interventions, the 
implementation of new or updated policies, application and 
interpretation of rules and/or guidance as well as participating 
in multi-agency groups to address common issues and 
threats; and 


e Consult one another on any issues which might have 
significant implications for the other organisation. 


The parties will comply with the general laws they are subject to, 
including, but not limited to, local data protection laws; the 
maintenance of any prescribed documentation and policies; and 
comply with any governance requirements in particular relating to 
security and retention, and process personal data in accordance 
with the statutory rights of individuals. 
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Legal bases for sharing information 


Information shared by Ofcom with the Commissioner 


17. 


18. 


19. 


20. 


The Commissioner's statutory function relates to the legislation set 
out at paragraph 4, and this MoU governs information shared by 
Ofcom to assist the Commissioner to meet those responsibilities. 

To the extent that any such shared information comprises personal 
data, as defined under the GDPR and DPA 2018, Ofcom is a Data 
Controller so must ensure that it has a lawful basis to share it and 
that doing so would otherwise be compliant with the data protection 
principles. It must also ensure that sharing the information in 
question is consistent with its legal powers. 


Section 131 of the Data Protection Act 2018 may provide both the 
lawful basis, from a data protection perspective, and the legal 
power for Ofcom to share information with the Commissioner. 
Under this particular provision, Ofcom is not prohibited or restricted 
from disclosing information to the Commissioner by any other 
enactment or rule of law provided it is "information necessary for 
the discharge of the Commissioner's functions". 


Sections 393 of the Communications Act 2003 and 56 of the Postal 
Services Act 2011 may also provide the legal power for Ofcom to 
share certain types of information with the Commissioner, including 
where Ofcom has obtained the consent of the person carrying on 
the business to which the information pertains or where the 
disclosure is for the purpose of facilitating the carrying out by 
OFCOM of any of its functions. 


Where Ofcom has obtained information in exercise of competition 
functions exercisable concurrently with the Competition and Markets 
Authority (CMA), the legal power for sharing such information with 
the Commissioner may be found in Part 9 of the Enterprise Act 
2002, in particular sections 239 and 241. 


Information shared by the Commissioner with Ofcom 


2i. 


The Commissioner, during the course of her activities, will receive 
information from a range of sources, including personal data. She 
will process all personal data in accordance with the principles of 
the GDPR, the DPA 2018 and all other applicable legislation. The 
Commissioner may identify that information she holds, which may 
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22. 


23. 


include personal data, ought to be shared with Ofcom as it would 
assist them in performing their functions. 


Section 132(1) of the DPA 2018 states that the Commissioner can 
only share confidential information with others if there is lawful 
authority to do so. In this context, the information will be 
considered confidential if has been obtained by, or provided to, the 
Commissioner in the course of, or for the purposes of, discharging 
her functions, relates to an identifiable individual or business, and is 
not otherwise available to the public from other sources. This 
therefore includes, but is not limited to, personal data. Section 
132(2) of the DPA 2018 sets out the circumstances in which the 
Commissioner will have the lawful authority to share such 
information, including with Ofcom. The circumstances in which 
sharing is made with lawful authority include: 


e The sharing was necessary for the purpose of the 
Commissioner discharging her functions (section 132(2)(c)); 


e The sharing was made for the purposes of criminal or civil 
proceedings, however arising (section 132(2)(e)); or 


e The sharing was necessary in the public interest, taking into 
account the rights, freedoms and legitimate interests of any 
person (section 132(2)(f)). 


The Commissioner will therefore be permitted to share information 
with Ofcom where the circumstances provided in section 132(2) 
exist. In doing so, the Commissioner will identify the function of 
Ofcom with which that information may assist, and, where relevant, 
assess whether that information is necessary for the discharge of a 
function. In particular, where the information proposed for sharing 
with Ofcom amounts to personal data the Commissioner will 
consider whether it is necessary to provide it in an identifiable form 
in order for Ofcom to perform its functions, or whether disclosing it 
in an anonymised form would suffice. Such an assessment by the 
Commissioner will be informed by discussions with Ofcom on the 
purposes for which it is being shared. 
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24. 


If information to be disclosed by the Commissioner was received by 
her in the course of discharging her functions as a designated 
enforcer under the Enterprise Act 2002, any disclosure shall be 
made in accordance with the restrictions set out in Part 9 of that 
Act. 


Other information sharing 


25. 


26. 


Where information is to be disclosed by either party for law 
enforcement purposes under section 35(4) or 35(5) of the DPA 
2018 then they will only do so in accordance with an appropriate 
policy document as outlined by section 42 of the DPA 2018. 


Where a request for information is received by either party under 
data protection laws, FOIA or EIR, and where the information being 
sought under that request includes information obtained from, or 
shared by, the other party, the receiving party will have regard to 
the FOIA section 45 Code of Practice and the EIR Regulation 16 
Code of Practice, as appropriate. However, the decision to disclose 
or withhold the information (and therefore any liability arising out of 
that decision) remains with the party in receipt of the request, 
either as Controller in respect of that data or the public authority 
that holds the information under FOIA or EIR (depending on the 
nature of the information being sought). 


Method of exchange 


27. 


Appropriate security measures shall be agreed to protect 
information transfers in accordance with the sensitivity of the 
information and any classification that is applied by the sender. 


Confidentiality and data breach reporting 


28. 


29, 


Where confidential material is shared between the parties it will be 
marked with the appropriate security classification. 


Where one party has received information from the other, it will 
consult with the other party before passing the information to a 
third party or using the information for the purposes of an 
enforcement or other legal proceeding. 
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30. 


Where confidential material obtained from, or shared by, the 
originating party is wrongfully disclosed by the party holding the 
information, this party will bring this to the attention of the 
originating party without delay. This is in addition to obligations to 
report a personal data breach under the GDPR and/or DPA where 
personal data is contained in the information disclosed. 


Duration and review of the MoU 


31. 


32. 


33. 


The parties will monitor the operation of this MoU and will review it 
biennially. 


Any minor changes to this memorandum identified between reviews 
may be agreed in writing between the parties. 


Any issues arising in relation to this memorandum will be notified to 
the point of contact for each organisation. 


Key contacts 


34. 


35. 


36. 


The parties have both identified a key person who is responsible for 
managing this MoU: 


Information Ofcom 
Commissioner's Office 


Address: Wycliffe House, 
Water Lane, Wilmslow, SK9 Address: 2a Southwark Bridge 
5AF Road, London, SE1 9HA 


Those individuals will maintain an open dialogue between each 
other in order to ensure that the MoU remains effective and fit for 
purpose. They will also seek to identify any difficulties in the 
working relationship, and proactively seek to minimise the same. 
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Signatories 


Simon McDougall, Executive 
Director, Information 
Commissioner's Office 


Selina Chadha, Director of 
Consumer Policy, Ofcom 


Date: 9/ 77 19 


Date: 10.7.19 


